This post describes the results of Internet scanning we recently conducted to identify the users of FinFisher, a 
sophisticated and user-friendly spyware suite sold exclusively to governments. We devise a method for querying 
FinFisher's "anonymizing proxies" to unmask the true location of the spyware's master servers. Since the master 
servers are installed on the premises of FinFisher customers, tracing the servers allows us to identify which 
governments are likely using FinFisher. In some cases, we can trace the servers to specific entities inside a 
government by correlating our scan results with publicly available sources. Our results indicate 32 countries where 
at least one government entity is likely using the spyware suite, and we are further able to identify 10 entities by 
name. Despite the 2014 FinFisher breach, and subsequent disclosure of sensitive customer data, our scanning has 
detected more servers in more countries than ever before. 


Executive Summary 


FinFisher is a sophisticated computer spyware suite, written by Munich-based FinFisher GmbH, and sold exclusively to 
governments for intelligence and law enforcement purposes. Although marketed as a tool for fighting crime,1 the 
spyware has been involved in a number of high-profile surveillance abuses. Between 2010 and 2012, Bahrain's 
government used FinFisher to monitor some of the country's top law firms, journalists, activists, and opposition political 
leaders.2 Ethiopian dissidents in exile in the United Kingdom3 and the United States4 have also been infected with 
FinFisher spyware. 


In 2012 and 2013, Citizen Lab researchers and collaborators5 published several reports analyzing FinFisher spyware, and 
conducted scanning that identified FinFisher command and control (C&C) servers in a number of countries. In our 
previous research, we were not yet able to differentiate between FinFisher anonymizing proxies and master servers, a 
distinction that we make in this work. 


When a government entity purchases FinFisher spyware, they receive a FinSpy Master—a C&C server that is installed on 
the entity's premises. The entity may then set up anonymizing proxies (also referred to as "proxies" or "FinSpy 
Relays" in the FinFisher documentation), to obscure the location of their master. Infected computers communicate with 
the anonymizing proxy, which is "usually"7 set up on a Virtual Private Server (VPS) provider in a third country. The proxy 
then forwards communications between a victim's computer and the Master server. 


We first describe how we scanned the Internet for FinFisher servers and distinguished masters from proxies (Part 1: Fishing 
for FinFisher). We then outline our findings regarding 32 governments and 10 specific government entities that we believe 
are using FinFisher (Part 2: Country Findings). Finally, we highlight several cases that illuminate connections between 
different threat actors (Part 3: A Deeper Analysis of Several Cases), before concluding (Conclusion). 


Part 1: Fishing for FinFisher 


In this section, we describe our scans for FinFisher servers, and how we unmasked the true location of the master servers to 
identify governments using FinFisher. 


Each FinFisher sample includes the address of one or more C&C servers that the spyware reports back to. These C&C 
servers are typically FinSpy Relays, which forward connections back and forth between a device infected with FinFisher, 
and a FinSpy Master. The purpose of the FinSpy Relay is explicitly to make it "practically impossible" (their emphasis) for 
a researcher to discover "the location and country of the Headquarter [sic]."8 
Figure 1: How targets infected with FinFisher communicate with the FinSpy Master via one or more FinSpy Relays.9 


We employed nmap10 to scan the entire IPv4 Internet (/0) several times since the end of December 2014 and throughout 
2015, using a new FinFisher server fingerprint that we devised by analyzing FinFisher samples. Our scans yielded 135 
servers matching our fingerprint, which we believe are a mix of FinSpy Masters and FinSpy Relays. 


When one queries a FinFisher server, or types the server's address into a web browser, the server typically returns a 
decoy page. A decoy page is a page designed to disguise the fact that the server is a spyware server. We found some 
variation in the decoy pages used by FinFisher servers that we detected, though the bulk used either www.google.com 
or www.yahoo.com. Peculiarly, FinSpy Relays appear to return decoy pages fetched by their FinSpy Master, rather than 
directly fetching the decoy pages themselves. Thus, in many cases, the pages returned by the FinSpy Relays contain 
location data apparently about the FinSpy Master (e.g., certain Google and Yahoo pages embed the requester's IP 
address or localized weather), which can reveal the location of FinSpy Masters. 


Okay Google, What is my IP? 


We noticed that when we issued a query like "What is my IP address?" to a Google-decoy FinFisher server, the server 
would respond with a different IP address. In the case below, a FinFisher server 206.190.159.xxx (located in the United 
States) reported that its IP address was the Indonesian IP 112.78.143.xxx, which matches a FinFisher server first detected in 
August 2012 by Claudio Guarnieri.11 We hypothesize that 206.190.159.xxx is a FinFisher proxy, designed to obscure the 
location of the FinFisher master, which is at 112.78.143.xxx. 


[Screenshot: a Google search for "my ip address" (with nord=1) returned by 206.190.159.xxx, reporting "Your public IP address is 112.78.143.xxx".] 


Figure 2: A FinFisher server in the US seems to be a proxy for a master in Indonesia. 
Specifically, we sent queries of the form: 

GET /search?q=my+ip+address&nord=1 HTTP/1.1 
Host: [ip of server] 
User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:38.0) Gecko/20100101 Firefox/38.0 

Figure 3: Queries we sent to Google-decoy FinFisher servers to reveal the IP address of the master.12 


The fact that FinFisher proxies can apparently reveal the IP of the master is quite peculiar. We illustrate below how we 
believe a query like "What is my IP address?" is routed through FinSpy Relays to the FinSpy Master: 

Figure 4: How we believe a "What is my IP address?" query is routed through FinSpy Relays to a FinSpy Master. 


It appears that the "What is my IP Address?" query is delivered from our Measurement Machine by the FinSpy Relay to 
the FinSpy Master, and then submitted to Google by the FinSpy Master. Therefore, Google returns the IP address of the 
FinSpy Master, which is then sent back to the Measurement Machine via the FinSpy Relay. 


How’ s the Weather in Caracas? 


A significant number of FinFisher servers we detected used www.yahoo.com as their decoy page. While we were unable 
to devise a method to find the exact IP address of Yahoo-decoy FinFisher endpoints, we were still able to retrieve location 
information from Yahoo, by examining the userLocation object in the decoy page's source code. Yahoo utilizes a 
user's location to customize several elements of Yahoo's homepage, including weather and news. 


[Weather widget from the decoy page: Caracas, 90 °F Nublado; Hoy 80°, Mañana 83°, Domingo 82°.] 

Figure 5: Weather conditions in Caracas returned by a FinFisher server in Lithuania. 


The userLocation object returned by 185.8.106.xxx (located in Lithuania) is shown below: 


"userLocation": 
{"woeid":395269, 
"zip":"Caracas", 
"city":"Caracas", 
"state":"Distrito Federal", 
"country":"Venezuela", 
"countryCode":"VE" 
} 


Figure 6: A FinFisher server in Lithuania seems to be a proxy for a master in Venezuela. 


The userLocation object allows us to obtain city and country information for FinFisher endpoints, though we cannot 
determine their precise IP address. We issued a query similar to the following to each Yahoo-decoy FinFisher server to 
obtain a page with the userLocation object: 


GET https://www.yahoo.com/ HTTP/1.1 
Host: www.yahoo.com 
User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:38.0) Gecko/20100101 Firefox/38.0 


Figure 7: Queries we sent to Yahoo-decoy FinFisher servers to reveal the location of the master.13 


Since Yahoo, like Google, implements SSL redirection by default, we had to devise a method to talk to Yahoo in plain 
HTTP. While Google provides the "nord=1" URL parameter to avoid SSL redirection, Yahoo apparently does not have 
an analogous publicized solution. However, we found that by sending plain HTTP GET requests to the resource 
"https://www.yahoo.com/" we could communicate with www.yahoo.com in plain HTTP without triggering SSL 
redirection. 
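The two probes described above (Figures 3 and 7), together with parsers for the decoy-page responses and the relay-versus-master inference, as an added Python example that is not part of the original report or Citizen Lab's tooling. The sample response bodies are constructed, RFC 5737 documentation addresses stand in for the redacted IPs, and the Yahoo parser assumes the userLocation object appears as double-quoted JSON as in Figure 6.

```python
"""Probe builders and decoy-page parsers for the FinFisher relay/master inference.

Added example. Assumptions:
  * Google decoy pages contain the literal text "Your public IP address is <ip>".
  * Yahoo decoy pages embed "userLocation" as double-quoted JSON (Figure 6).
  * Sample bodies below are constructed; IPs are RFC 5737 documentation addresses.
"""
import ipaddress
import json
import re
from typing import Optional, Tuple

USER_AGENT = "Mozilla/5.0 (Windows NT 6.1; rv:38.0) Gecko/20100101 Firefox/38.0"


def build_google_probe(server_ip: str) -> bytes:
    """Raw request in the form of Figure 3; nord=1 stops Google's SSL redirect."""
    return (
        "GET /search?q=my+ip+address&nord=1 HTTP/1.1\r\n"
        f"Host: {server_ip}\r\n"
        f"User-Agent: {USER_AGENT}\r\n"
        "Connection: close\r\n\r\n"
    ).encode("ascii")


def build_yahoo_probe() -> bytes:
    """Raw request in the form of Figure 7: an absolute https:// URL sent over plain HTTP."""
    return (
        "GET https://www.yahoo.com/ HTTP/1.1\r\n"
        "Host: www.yahoo.com\r\n"
        f"User-Agent: {USER_AGENT}\r\n"
        "Connection: close\r\n\r\n"
    ).encode("ascii")


# Tolerates HTML tags between the phrase and the address (Figure 2 shows it inline).
_GOOGLE_IP_RE = re.compile(
    r"Your public IP address is\s*(?:<[^>]*>\s*)*(\d{1,3}(?:\.\d{1,3}){3})"
)


def parse_google_ip(body: str) -> Optional[str]:
    """Return the IP that Google reported to whoever fetched the page, or None."""
    m = _GOOGLE_IP_RE.search(body)
    if not m:
        return None
    try:
        return str(ipaddress.IPv4Address(m.group(1)))
    except ipaddress.AddressValueError:  # e.g. an octet above 255
        return None


def classify_google_decoy(probed_ip: str, body: str) -> Tuple[str, Optional[str]]:
    """Apply the report's reasoning: a page reporting an IP other than the one we
    queried means the queried host relayed the request and the reported IP is the
    upstream (presumed master); a matching IP means the host fetched the page itself."""
    reported = parse_google_ip(body)
    if reported is None:
        return ("unknown", None)
    if reported == probed_ip:
        return ("master", reported)
    return ("relay", reported)


_USERLOC_RE = re.compile(r'"userLocation"\s*:\s*')


def parse_yahoo_location(body: str) -> Optional[dict]:
    """Extract the userLocation object from a Yahoo decoy page (city/country, no IP)."""
    m = _USERLOC_RE.search(body)
    if not m:
        return None
    try:
        # raw_decode parses one JSON value starting at the given index and ignores the rest.
        obj, _ = json.JSONDecoder().raw_decode(body, m.end())
    except json.JSONDecodeError:
        return None
    return obj if isinstance(obj, dict) else None


def describe_location(loc: dict) -> str:
    """Human-readable 'city, state, country (CC)' summary of a userLocation object."""
    parts = [loc.get(k) for k in ("city", "state", "country")]
    text = ", ".join(p for p in parts if p)
    code = loc.get("countryCode")
    return f"{text} ({code})" if code else text


# Constructed sample responses (not captured from real servers).
SAMPLE_GOOGLE_BODY = (
    "<html><body><div>Your public IP address is <b>198.51.100.7</b> - Learn more</div>"
    "</body></html>"
)
SAMPLE_YAHOO_BODY = (
    '<script>YUI.applyConfig({"userLocation":{"woeid":395269,"zip":"Caracas",'
    '"city":"Caracas","state":"Distrito Federal","country":"Venezuela",'
    '"countryCode":"VE"},"weather":{"unit":"F"}});</script>'
)


if __name__ == "__main__":
    # Probing 192.0.2.10 but seeing 198.51.100.7 reported marks 192.0.2.10 as a relay.
    print(classify_google_decoy("192.0.2.10", SAMPLE_GOOGLE_BODY))
    print(describe_location(parse_yahoo_location(SAMPLE_YAHOO_BODY)))
```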


Other Decoys 
While the majority of FinFisher servers we detected used either Google or Yahoo as a decoy page, we identified a 
number of other servers whose operators had apparently customized the decoy page to a different URL. 


One server used the Italian news source libero.it as a decoy. We noted that libero.it sets the "Libero" cookie, which 
contains the IP address of the computer that visited the libero.it website. When accessing 185.8.106.xxx, the Libero-decoy 
FinFisher server, the cookie was set to include the Italian IP 93.146.250.xxx.14 Servers that we traced to Macedonia used 
Macedonian newsmagazine time.mk as a decoy. Servers we traced to Taiwan used Taiwanese web portal 
pchome.com.tw as a decoy. We were unable to trace other servers which used file download site filehippo.com as a 
decoy. A handful of other untraceable servers returned custom HTML code as a decoy (e.g., a webpage with a META 
redirect to www.google.com). 


General Comments 


This design peculiarity is only the latest instance of fingerprintable anomalies in spyware decoy pages. FinFisher 
competitor Hacking Team formerly used decoy pages on its C&C server for Remote Control System (RCS), but apparently 
removed them15 after our research revealed that anomalies in the decoy pages could be used to fingerprint RCS 
servers.16 We have also previously used decoy pages to fingerprint FinFisher servers.17 We believe that FinFisher or its 
clients may also be realizing that decoy pages are problematic, as we have observed fewer FinFisher servers returning 
decoy pages over time. 


Part 2: Country Findings 


In this section, we provide a list of likely FinFisher government users identified by our scans, and also map out which FinSpy 
relays serve which FinSpy Masters. 


Below, we identify 33 likely government users of FinFisher in 32 countries, based on the presence of a FinFisher master at 
an IP address in a country18 or belonging to a specific government department. 


[Map: FinFisher Spyware, Suspected Government Users in 2015.] 

Figure 8: Suspected FinFisher government users that were active at some point in 2015. 


In presenting our scan results, we do not wish to disrupt or interfere with legitimately sanctioned investigations or other 
activities. Instead, we hope to ensure that citizens have the opportunity to hold their governments transparent and 
accountable. To this end, we identify government users, but redact certain details we have discovered about their 
infrastructure whose disclosure might interfere with legitimately sanctioned activities. Redacted details include the last 
octet of live IP addresses, and part of live domain names. Appendix A contains a full list of countries and servers. 


Country | Specific entity if known 
Angola | 
Bangladesh | Directorate General of Forces Intelligence (DGFI) 
Belgium | Federal Police 
Bosnia and Herzegovina | 
Czech Republic | 
Egypt | Technology Research Department (TRD) 
Ethiopia | 
Gabon | 
Indonesia | 1. National Encryption Body (Lembaga Sandi Negara); 2. Unknown other entities 
Italy | Unknown multiple entities 
Jordan | 
Kazakhstan | 
Kenya | National Intelligence Service (NIS) 
Lebanon | 1. General Directorate of General Security; 2. Internal Security Forces (ISF) 
Macedonia | 
Malaysia | 
Mexico | 
Mongolia | Special State Security Department (SSSD) 
Morocco | 1. Conseil Superieur De La Defense Nationale (CSDN); 2. Unknown other entities 
Nigeria | Unknown multiple entities 
Oman | 
Paraguay | 
Romania | 
Saudi Arabia | 
Serbia | Security Information Agency (BIA) 
Slovenia | 
Spain | 
Taiwan | 
Turkey | 
Turkmenistan | 
Venezuela | 
South Africa | 


The following is a list of countries where neither our previous research nor documents disclosed by Wikileaks19 had 
previously found evidence of a FinFisher deployment: Angola, Egypt, Gabon, Jordan, Kazakhstan, Kenya, Lebanon, 
Morocco, Oman, Paraguay, Saudi Arabia, Slovenia, Spain, Taiwan, Turkey, and Venezuela. 


In the diagram below, we map out FinFisher proxy networks: the FinSpy Relay servers we found, and the FinSpy Masters to 
which we linked them: 

[Diagram: FinFisher Proxy Networks, proxy origin and destination countries of FinFisher deployments.] 

Figure 9: Links we established between FinSpy Relays and FinSpy Masters. 


Given previous reports that observed weaknesses in certain cryptography that FinFisher uses to transmit information from 
an infected device to the FinSpy master,20 locating FinFisher collection infrastructure in another country could potentially 
invoke concerns about "fourth party" collection, where a government collects data collected by another 
government's surveillance operation. We have also previously identified potential legal concerns regarding locating 
relays in other countries.21 


Attribution to Specific Entities 


We attributed some FinFisher Master servers to specific government entities by correlating our scan results with publicly 
available data, including emails from FinFisher's competitor Hacking Team. This section briefly describes how we 
identified these entities, and summarizes what is publicly known about their functions. While we do not provide a vignette 
for each country where we have identified FinFisher, we note that a number of countries have dubious or problematic 
histories of oversight of the security services. 


Bangladesh 


Directorate General of Forces Intelligence (DGFI) 


Our investigation uncovered a FinFisher server at an IP address in the same /30 as the mail server for Bangladesh's 
DGFI, [redacted].dgfi.gov.bd. Additionally, leaked Hacking Team emails claim that Bangladesh's DGFI is a 
FinFisher customer.22 


Established in 1976, the Directorate General of Forces Intelligence (DGFI) is Bangladesh's military intelligence agency. 
The director of the agency holds the rank of Lieutenant General or Major General and directly reports to the Prime 
Minister.23 In a report published in 2008, Human Rights Watch associated the DGFI with long-standing human rights 
violations (e.g., torture and extrajudicial killings) and the stifling of political opposition in the country.24 


The US State Department has reported that the DGFI has previously conducted surveillance on citizens for their criticism of 
the government.25 Leaked emails show that DGFI officials were engaged in discussions with FinFisher's competitor 
Hacking Team in June 2014.26 


Belgium 


Federal Police Service 


Our investigation found a FinFisher server in a /28 assigned to Belgacom, denoted “SKY-5904592 / SOCC-2131136.” 
This range of IP addresses also contained several servers returning SSL certificates issued by and to “Federal 
Police.” Two IP addresses in this range were also pointed to by two subdomains of raspol.be, a domain name 
registered to “Massimo Moschettini / ISRD NTSU / Police Fédérale.” 


Belgium's Federal Police Service was established in January 2001. The agency is headed by a General Commissioner 
who coordinates the work of five general directorates, including administrative police, judicial police, operational 
support, logistics, and human resources, as well as several departments that report directly to him/her.27 Leaked Hacking 
Team emails have revealed the company's participation in a tender for "tactical interception of communications via 
computer systems" by the Belgian Federal Police.28 


Serbia 
Security Information Agency (BIA) 


Our investigation found a FinFisher server in the same /26 as bia.gov.rs, the website of Serbia's Security Information 
Agency (BIA). The server was also in the same /28 as a computer that identified itself to Shodan as "DPRODAN-PC."29 
According to the leaked Hacking Team emails, a person with the email dprodan@open.telekom.rs 
contacted Hacking Team in reference to a February 8, 2012 demo in Belgrade.30 From February 7-9, 2012, Hacking 
Team was in Belgrade to give a demo to a potential client, Vladimir Djokic, who worked for the BIA according to his 
email address vladimirdj@bia.gov.rs.31 Thus, we believe "dprodan" is also a BIA employee, and the FinFisher 
server we found belongs to the BIA. 


Serbia's Security Information Agency (BIA) was created in 2002 by the Law on the Security Information Agency. BIA is a 
civil national security service and a part of the security-intelligence system of the Republic of Serbia.32 


While the BIA is generally regarded as operating with appropriate oversight and as being free from major abuses, some 
elements of its electronic surveillance practices have been challenged. Prior to 2014, the Law on the Security Information 
Agency was considered to be not in compliance with the constitution. In 2012, a constitutional court struck down several 
provisions of the Law on the Security Information Agency, ruling that Articles 13, 14 and 15 of the Law, which govern the 
wiretapping of private communications, were unconstitutional.33 The court ruled that these Articles were "not 
formulated clearly and precisely enough" and that citizens are "thus prevented from ascertaining which legal rule will 
be applied in the given circumstances and are thus deprived of the possibility to protect themselves from inadmissible 
restrictions of their right or arbitrary interference in their right to respect of their private life and correspondence."34 
Further, measures related to the ability of the BIA's Director to authorize wiretapping in some circumstances without a 
court order were also challenged.35 The court delayed its decision in order to give legislators the opportunity to revise the 
offending Articles in the Law.36 The amendments to the Law were adopted in June 2014.37 While acknowledged as a 
positive step, these amendments have been criticized as remaining "insufficient to fully democratize surveillance that is 
carried out by the BIA."38 


Leaked emails indicate that members of the Security Information Agency and the Ministry of Defense engaged in 
purchase negotiations with FinFisher's competitor Hacking Team.39 


Egypt 


Technology Research Department 


We found a FinFisher server at IP address 62.114.252.xxx. We also found an email in the leaked Hacking Team emails 
that, according to the headers, was sent from the same IP address.40 The email was sent by Hacking Team 
employee Davide Romualdi on June 25, 2015, when he was scheduled to be performing delivery41 in Egypt for 
Hacking Team customer TREVOR, identified as the TRD42 (Technology Research Department).43 Thus, we believe 
the email was sent from the premises of the TRD, and the IP address 62.114.252.xxx belongs to the TRD. 


Egypt's troubling human rights situation has continued to deteriorate under President Abdel Fattah al-Sisi. In recent 
years, cases of mass arrests, significant violence against protesters and due process violations have increased.44 
Numerous Egyptian security agencies are permitted to conduct electronic surveillance, frequently with limited court 
oversight. In some cases, personal data improperly collected from civil society actors has led to their arrest and 
imprisonment.45 While there is limited open source information available about the activities of the Technology Research 
Department, we closely examine a malware campaign linked to TRD infrastructure in Part 3 of this report. 


Indonesia 


National Encryption Body (Lembaga Sandi Negara) 


Two of the FinFisher servers we found in Indonesia were in the same /28. We found an IP address in this same /28 
included in the headers of an email sent by a Hacking Team employee46 while he was in Indonesia47 performing a 
demo for the National Encryption Body. The email was sent at 12:39 PM Jakarta time on February 6, 2013, and a 
meeting at the agency was set for 10:00 AM on the same day.48 Thus, it seems probable that the email was sent 
from the premises of the National Encryption Body, and that the two FinFisher servers belong to the same 
organization. 


The National Encryption Body is an agency headed by a director, who has the same stature as a minister and reports 
directly to the President. In a recent interview, the Body's current director, Major General Djoko Setyadi, describes the 
agency's responsibilities as, among others, securing state secrets and decrypting/decoding communication from 
would-be terrorists.49 


The threat of terrorism is a concern for Indonesia. Several bombing incidents have occurred in the country, including two 
Western hotels in the capital city of Jakarta in 2009. As the world's largest Muslim-majority country, the emergence of 
the Islamic State of Iraq and the Levant (ISIL or ISIS) has also resulted in concerns that their militant ideology will gain 
ground. It is believed that as many as 200 Indonesian citizens have headed to Syria to fight with ISIS.50 Challenges from 
restive regions like Papua and Central Sulawesi are also ongoing. There are fears that the fight against these threats may 
be used as justification to perpetrate human rights abuses, such as to target others for their religious or political beliefs 
and to kill suspected militants unlawfully. 


In a 2013 Citizen Lab report, we identified at least twelve laws, two government regulations, and two ministerial regulations 
that govern wiretapping and interception in Indonesia. Although wiretapping and interception are helpful, and 
sometimes even necessary to expose crimes such as terrorism, drug trafficking and corruption, the lack of comprehensive 
legislation regulating their use in Indonesia means that there is an increased risk for misuse and privacy violations.51 


Kenya 


National Intelligence Service 


We found a FinFisher server in a range of IP addresses registered to a Kenyan user named "National Security 
Intelligence." Kenya's National Intelligence Service (NIS) was formerly known as the National Security Intelligence 
Service (NSIS). 


Kenya's NSIS replaced the former Directorate of Security Intelligence (DSI), commonly known as the "Special 
Branch."52 The NIS is known as one of Kenya's security institutions with the biggest budgetary allocation—along with 
the Kenya National Defence Forces and the National Police Service—and considered to be among the country's 
critical security organs in the new constitution.53 In 2014, Human Rights Watch named the NIS, as well as the Anti-Terrorism 
Police Unit and other Kenyan intelligence agencies, as being implicated in abuses including torture, disappearances, 
and extrajudicial killings.54 


The powers of the NIS were expanded significantly in December 2014 when the Parliament of Kenya rushed to pass the 
controversial Security Laws (Amendment) Bill.55 The amendments came following a series of deadly terrorist attacks by 
the militant group al-Shabab, including the 2013 killing of 67 people at the Westgate shopping mall in Nairobi.56 This bill 
expanded the powers of the NIS to monitor communications without a warrant, as well as expanding their powers to 
search and seize private property.57 Article 62 of the amended bill authorized NIS agents to "do anything necessary to 
preserve national security" and to detain individuals on mere suspicion of engaging in acts which pose a threat to 
national security. Section 66 of the bill amended the National Intelligence Services Act, permitting the Director General 
of the NIS to monitor communications or "obtain any information, material, record, document or thing" in order to 
protect national security, without court oversight, leading rights organization Article 19 to argue that the amendment 
"effectively [gives] carte blanche to the Director-General to order mass surveillance of online communications."59 


While a court ruling in February 2015 struck down some provisions of the amendment, the provisions enhancing the 
powers of the NIS remained.60 


Lebanon 


General Directorate of General Security 


We found a FinFisher server in a range of IP addresses registered to a Lebanese user named "General_Security." 
We assume that "General_Security" is a reference to the General Directorate of General Security. 


Lebanon's General Directorate of General Security was established in 1921 under Decree No. 1061.61 The functions of 
the General Security include collecting and gathering intelligence, monitoring the media, and issuing passports and 
travel documents to Lebanese citizens.62 The organization is categorized as a general directorate under the supervision 
of the Ministry of Internal Affairs.63 


Although Lebanon has legislation (Law No. 140) which establishes safeguards and oversight protecting electronic 
communications from unlawful surveillance, there is a systemic practice of this law being ignored.64 Privacy International 
has criticized the surveillance practices of Lebanon's intelligence agencies, suggesting that the agencies, including the 
General Directorate of General Security, operate without sufficient independent oversight, and that a lack of trust 
between different agencies leads each to run its own operations out of view of the Ministry of the Interior.65 


Controversies surrounding government surveillance practices have become particularly salient in the wake of several 
recent high-profile assassinations, including the 2005 killing of Prime Minister Rafik Hariri. Organizations investigating the 
assassinations have had "unregulated access to the data of private citizens," including mobile phone records, which 
raises privacy concerns.66 


Internal Security Forces 


We found a FinFisher server at a Lebanese IP address that was formerly pointed to by what was apparently a mail 
server with domain "[redacted].intelligence.isf.gov.lb" in 2012. We assume that the IP still belongs to the Internal 
Security Forces (ISF). 


The Internal Security Forces (ISF) are the national police and security force of Lebanon. The ISF's creation was 
mandated by Decree 138 in 1959.67 Throughout its history, the ISF has had a troubled record of human rights abuses, in 
spite of recent efforts to promote proper conduct within the organization. In consultation with the UN Human Rights 
Office, the ISF adopted a January 2012 code of conduct designed to ensure the forces' operations guaranteed respect 
for human rights and public freedoms, including "refraining from resorting to torture, cruel, inhumane and degrading 
treatment."68 However, a number of incidents in recent years have called into question the effectiveness of this code 
of conduct. 


An extensive Human Rights Watch report in 2013 detailed dozens of instances of vulnerable individuals subject to physical 
abuse, torture and sexual assault at the hands of ISF officials.69 In June 2015, five ISF officers were arrested after videos 
released on social media showed the officers beating prisoners.70 The ISF and other state agencies have summoned and 
questioned bloggers, journalists, and activists over social media and blog posts critical of politicians.71 


The organization also has a history of overreach in the collection of Lebanese citizens' private user data. In 2012, it was 
reported that the ISF had requested that the Ministry of Telecommunications turn over the content of all SMS text 
messages sent over a two month span for all users in Lebanon, followed later by a request for Lebanese users' login 
credentials for BlackBerry Messenger and Facebook.72 The request was made following the assassination of the ISF's 
Information Branch head Wissam al-Hassan, and was rejected by the Ministry.73 


Morocco 


Conseil Superieur De La Defense Nationale (CSDN) / Supreme Council of National Defense 


We found a FinFisher server in a range of IP addresses registered to a Moroccan user named "Conseil Superieur De 
La Defense Nationale." We assume that this is a reference to the eponymous agency. 


There is limited open source information available about the activities of the CSDN. Leaked Hacking Team emails 
indicate that the CSDN — among other Moroccan Government agencies — was a customer of FinFisher’ s competitor 
Hacking Team. 


In 2012, spyware from Hacking Team was used against Mamfakinch, an award-winning group of Moroccan citizen 
journalists.74 Privacy International released a report detailing the impact of surveillance on the group, as well as other 
political activists and journalists.75 


Mongolia 


State Special Security Department (SSSD) 


We found a FinFisher server at a Mongolian IP address in the same /28 as an IP address pointed to by the domain 
"td.sssd.mn." We believe that "SSSD" is a reference to the Mongolian agency of the same name. We also 
found what appears to be a test or demonstration FinFisher sample, whose bait content includes emails apparently 
between Gamma Group and Mongolia's SSSD, discussing a visit by Gamma personnel to Mongolia. 


There is limited open source information available about the SSSD; however, leaked emails from the spyware firm Hacking 
Team indicate that in 2012 the company was in contact with members of the SSSD.76 Additional leaked emails from 2013 
indicate that Hacking Team scheduled a product demonstration with the SSSD in April 2013.77 


Part 3: A Deeper Analysis of Several Cases 


The following section provides additional details for several countries. 


Egypt: Use of FinFisher illuminates connections between different groups 


We noted an interesting connection between Egypt's Technology Research Department (TRD) and two other malware 
groups in the region: MOLERATS, and an as-yet uncharacterized group. We have previously observed both groups 
targeting UAE-based activists. 


MOLERATS Attacks with FinFisher 


We found a FinFisher sample linked to Egypt, Egyptian_army.rar, hosted on google.wwwhost.biz. 


SHA256: 1610#с805#980#5с70сес8е138ра800601ерс86919#42Ь375с#Ь161себ3бба48 


Filename: Egyptian_army.rar 


Extracting the .rar file yields an .exe file. 


SHA256: 94abf6d£38F26530da2864d80ela0b7cdfce63£d27b142993b89c52b3cee0389 
Filename: ilẹ! «Lail да) фе! 42 e Даа aos узе.ёхөе 


The name of the .exe file promises pictures of the Jordanian Air Force pilot burned alive by ISIS, a popular news story at the 
time. 


We suspect that the domain name google.wwwhost.biz is linked to MOLERATS, a threat actor active іп the Middle East 
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region that appears to engage in politically motivated targeting. We describe the link below: 


• google.wwwhost.biz had IP address 200.74.241.111 at the same time as info.dynamic-dns.net, which also had IP address 192.161.48.59, shared with update.ciscofreak.com, which also had IP address 162.220.246.117. This IP address is linked to several known MOLERATS domains, like natco{1,2,3,4,5}.no-ip.net,78 and uae.kim.79

• google.wwwhost.biz also hosted two DarkComet samples, which communicated with r.ddns.me, which shared IP address 198.105.125.158 with a.ddns.me, which shared IP address 23.229.3.37 with MOLERATS domain test.cable-modem.org.80

• google.wwwhost.biz also hosted a Gmail phishing page, 64с1еї8е09230М4ааа96саер2806с11, also hosted by googlecombaq6éxx.ddns.net, which shared IP address 131.72.136.28 with tvnew.otzo.com, which shared IP address 172.227.95.162 with several known MOLERATS domains, like natco{1,2,3,4}.no-ip.net,81 and uae.kim.82

• google.wwwhost.biz served a Hotmail phishing page, 57ab5f60198d311226cdc246598729ea, also served by google.com.r3irv2yknO0qnd7vr7sqv7kg2qho3abStngl5avxisiimz1jxw9pa9.uae.kim; uae.kim is a known MOLERATS domain.83
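The chain in the first bullet is a passive-DNS co-hosting pivot done by hand: seed domain, to the IP it resolved to, to another name that resolved to that IP during the same period, and so on until a name already attributed to MOLERATS is reached. The script below is an added example of that pivot as an automated breadth-first search; it is not the report's tooling. The domain/IP pairs mirror the first bullet, but every date, the decoy entries, the 203.0.113.9 shared-hosting IP and the "known bad" set are assumptions constructed for the demonstration. Two checks make the pivot defensible and both are in the code: the two resolutions must overlap in time (co-hosting years apart is not a link), and an IP with many co-hosted names is skipped as shared hosting or a CDN, since walking through it links everyone to everyone.

```python
"""Passive-DNS co-hosting pivot (added example, not Citizen Lab code).

RECORDS is CONSTRUCTED: the domain/IP pairs follow the first bullet in the
text, the observation windows, decoys and the known-bad set are invented.
"""
from collections import defaultdict, deque
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class PdnsRecord:
    name: str
    ip: str
    first_seen: date
    last_seen: date


def _overlaps(a: PdnsRecord, b: PdnsRecord) -> bool:
    """True if the two resolutions were observed during overlapping windows."""
    return a.first_seen <= b.last_seen and b.first_seen <= a.last_seen


def pivot_chain(records, seed, known_bad, max_fanout=50):
    """Breadth-first search from `seed` to any name in `known_bad`.

    Returns the shortest chain as an alternating list
    [domain, ip, domain, ip, ..., domain], or None if there is no chain.
    """
    by_name, by_ip = defaultdict(list), defaultdict(list)
    for r in records:
        by_name[r.name].append(r)
        by_ip[r.ip].append(r)

    parent = {seed: None}            # name -> (previous name, shared ip)
    queue = deque([seed])
    while queue:
        name = queue.popleft()
        if name in known_bad:
            path = [name]
            while parent[path[-1]] is not None:
                prev_name, via_ip = parent[path[-1]]
                path += [via_ip, prev_name]
            path.reverse()
            return path
        for r in by_name[name]:
            cohosted = by_ip[r.ip]
            if len({s.name for s in cohosted}) > max_fanout:
                continue             # shared hosting / CDN: co-residence is not a link
            for s in cohosted:
                if s.name == name or s.name in parent or not _overlaps(r, s):
                    continue
                parent[s.name] = (name, r.ip)
                queue.append(s.name)
    return None


RECORDS = [
    # Chain from the text; dates are constructed.
    PdnsRecord("google.wwwhost.biz",    "200.74.241.111",  date(2015, 1, 10), date(2015, 3, 1)),
    PdnsRecord("info.dynamic-dns.net",  "200.74.241.111",  date(2015, 2, 1),  date(2015, 2, 20)),
    PdnsRecord("info.dynamic-dns.net",  "192.161.48.59",   date(2014, 10, 1), date(2014, 12, 31)),
    PdnsRecord("update.ciscofreak.com", "192.161.48.59",   date(2014, 11, 5), date(2015, 1, 15)),
    PdnsRecord("update.ciscofreak.com", "162.220.246.117", date(2014, 6, 1),  date(2014, 9, 30)),
    PdnsRecord("natco1.no-ip.net",      "162.220.246.117", date(2014, 7, 1),  date(2014, 8, 1)),
    # Decoy 1: same IP as the seed, but two years earlier, so no overlap.
    PdnsRecord("unrelated.example",     "200.74.241.111",  date(2013, 1, 1),  date(2013, 6, 1)),
    # Decoy 2: a shared-hosting IP (documentation range) where the seed, the
    # known-bad name and dozens of tenants all overlap. Without the fan-out cap
    # this produces a bogus one-hop "link".
    PdnsRecord("google.wwwhost.biz",    "203.0.113.9",     date(2015, 1, 1),  date(2015, 3, 1)),
    PdnsRecord("natco1.no-ip.net",      "203.0.113.9",     date(2015, 1, 1),  date(2015, 3, 1)),
] + [
    PdnsRecord(f"tenant{i}.example",    "203.0.113.9",     date(2015, 1, 1),  date(2015, 3, 1))
    for i in range(60)
]

KNOWN_MOLERATS = {"natco1.no-ip.net"}   # assumption: names the analyst already attributes

if __name__ == "__main__":
    print(" -> ".join(pivot_chain(RECORDS, "google.wwwhost.biz", KNOWN_MOLERATS)))
```

With the default fan-out cap the search reproduces the three-hop chain from the text; raising the cap makes it return the one-hop chain through the shared-hosting decoy, which is exactly the false link the cap exists to suppress.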


A significant portion of MOLERATS bait content we have observed indicates targeting of Israel and “political Islam” 
groups like Hamas. This MOLERATS activity could be accounted for by any number of intelligence agencies active in the 
region, or a Palestinian faction, but it is also possible that MOLERATS is a multi-faceted group with several interests and/or 
clients. 


That MOLERATS apparently used spyware linked to the TRD suggests a possible connection between the TRD and 
MOLERATS. 


The Curious Case of the Shared Exploit 


We identified the following Word document uploaded to VirusTotal: 


SHA256: 22deea26981bc6183ac3945da8274111le7£d7a35fbb6da601348cc6d66240114 
Filename: (Arabic-language filename, not legibly preserved in this copy).doc


The document, whose name translates to “A Highly Classified Report,” downloads a FinFisher sample from http://workingulf.net/DFServ.exe.


SHA256: e2ecf£89a49c125e0b4292645a41b5e97c0f 7b£15d418faeac0d592205f083119 


Filename: DFServ.exe 


The sample communicates with 50.31.252.xxx and 95.170.82.xxx, which are proxies for 62.114.252.xxx, the FinFisher Master 
we associated with Egypt’ s TRD. The domain workingulf.net appears to be connected to the TRD, because it is linked to 
a cluster of other domains, several of which were used to distribute TRD FinFisher samples. 


We developed a fingerprint for the exploit, based on the presence of a 1.1MB binary embedded in the Word document. A week later, we identified another instance of this same exploit (the binary was the same).
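The fingerprint described above keys on a large binary embedded in the document, so two documents with different wrappers but the same embedded payload match. The script below is an added example of one way to build such a fingerprint; it is not the report's tooling. It carves every complete PE image out of an arbitrary byte stream (a .doc, an RTF, an OLE stream) by validating the DOS and PE headers and computing the on-disk size from the section table, then fingerprints the document by the (size, SHA-256) of each carved blob. The "documents" and the minimal PE shells they contain are constructed for the demonstration and are not real malware; a `min_size` threshold such as the 1.1MB in the text keeps small, legitimate embedded objects out of the fingerprint.

```python
"""Carve embedded PE images from a document and fingerprint them.

Added example, not code from the Citizen Lab report. Inputs are CONSTRUCTED:
build_fake_pe() emits a header-valid but non-executable PE shell, and the
"documents" are junk bytes around it.
"""
import hashlib
import struct


def _pe_disk_size(buf: bytes, off: int):
    """If buf[off:] starts a complete PE image, return its on-disk size, else None."""
    if len(buf) < off + 0x40 or buf[off:off + 2] != b"MZ":
        return None
    e_lfanew = struct.unpack_from("<I", buf, off + 0x3C)[0]
    pe = off + e_lfanew
    if not 0x40 <= e_lfanew <= 0x1000 or buf[pe:pe + 4] != b"PE\0\0" or pe + 26 > len(buf):
        return None
    nsect = struct.unpack_from("<H", buf, pe + 6)[0]        # NumberOfSections
    opt_size = struct.unpack_from("<H", buf, pe + 20)[0]    # SizeOfOptionalHeader
    magic = struct.unpack_from("<H", buf, pe + 24)[0]       # 0x10B PE32, 0x20B PE32+
    if magic not in (0x10B, 0x20B) or not 1 <= nsect <= 96:
        return None
    sect = pe + 24 + opt_size                               # first section header
    if sect + 40 * nsect > len(buf):
        return None
    end = sect + 40 * nsect - off                           # at least the headers
    for i in range(nsect):
        # SizeOfRawData and PointerToRawData sit at +16 and +20 in each 40-byte header
        raw_size, raw_ptr = struct.unpack_from("<II", buf, sect + 40 * i + 16)
        end = max(end, raw_ptr + raw_size)
    return end if off + end <= len(buf) else None           # truncated image: reject


def carve_embedded_pes(buf: bytes):
    """Return [(offset, size, sha256)] for every complete PE image found in buf."""
    found = []
    pos = buf.find(b"MZ")
    while pos != -1:
        size = _pe_disk_size(buf, pos)
        if size:
            found.append((pos, size, hashlib.sha256(buf[pos:pos + size]).hexdigest()))
            pos = buf.find(b"MZ", pos + size)   # skip past the carved image
        else:
            pos = buf.find(b"MZ", pos + 1)      # stray "MZ" in text or data
    return found


def exploit_fingerprint(doc: bytes, min_size: int = 0):
    """Fingerprint a document by its embedded payloads: a set of (size, sha256)."""
    return frozenset((s, h) for _, s, h in carve_embedded_pes(doc) if s >= min_size)


def build_fake_pe(payload: bytes) -> bytes:
    """CONSTRUCTED test input: a minimal PE32 shell with one section (not runnable code)."""
    opt_size, raw_ptr = 0xE0, 0x200
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)                 # e_lfanew -> PE signature
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, opt_size, 0x102)
    opt = struct.pack("<H", 0x10B) + bytes(opt_size - 2)     # PE32 magic, rest zeroed
    sect = struct.pack("<8sIIIIIIHHI", b".text", len(payload), 0x1000,
                       len(payload), raw_ptr, 0, 0, 0, 0, 0x60000020)
    img = bytes(dos) + b"PE\0\0" + coff + opt + sect
    return img + bytes(raw_ptr - len(img)) + payload


PE_ONE = build_fake_pe(b"\x90" * 64 + b"shared-dropper-v1")
PE_TWO = build_fake_pe(b"\x90" * 64 + b"different-dropper")
# CONSTRUCTED "documents": two wrappers around the same payload, one around another.
DOC_A = b"\xd0\xcf\x11\xe0" + b"A" * 100 + PE_ONE + b"\x00" * 16
DOC_B = b"\xd0\xcf\x11\xe0" + b"B" * 500 + PE_ONE + b"\x00" * 16
DOC_C = b"\xd0\xcf\x11\xe0" + b"A" * 100 + PE_TWO
DOC_TEXT = b"AMZN quote: MZ is not a PE header"   # stray "MZ" bytes, no image

if __name__ == "__main__":
    for name, doc in (("A", DOC_A), ("B", DOC_B), ("C", DOC_C)):
        print(name, sorted(exploit_fingerprint(doc)))
```

DOC_A and DOC_B carry the same embedded image at different offsets and get the same fingerprint; DOC_C, with a different payload of the same size, does not. Carving by header rather than by "MZ" alone is what keeps the text fragment from producing a false hit.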


SHA256: d759dcbebee18a65fda434balda5d348c16d9d3775fel652aldac£983ffc9I3b8 


Filename: (Arabic-language filename, not legibly preserved in this copy).doc


This instance downloaded spyware from http://wp.piedslibres.com/wp/wp-includes/js/Next.scr, which appeared to be a 
hacked WordPress site. 


SHA256: 08b32da8995ae094bf£b703d7d975c3816c£04c075c32281e51158164d76cd655 


Filename: Next.scr 


Next.scr is a bespoke malware that exfiltrates system information and files via email. The malware logs into an email 
account on the C&C server via SMTP, and sends mail to another account on the same server. We have seen C&Cs 
including: pal4u.net, pal2me.net, and shop8d.net. All of the domains have similar registrant information, indicating the 
work of a single group. 


The group appears to be based in Palestine. The use of a shared exploit suggests some link between the TRD and this 
group. 


FinFly Web in the Wild 


We traced workingulf.net to a number of other domain names, including news-youm7.com (see Figure 10 below).

Figure 10: Domain names and IP addresses that we believe are associated with Egypt’s TRD. We redact only live domains and IP addresses, and show full details for inactive ones.


We found a FinFly Web sample at http://videos.news-youm7.com/youm7/videos/5671264.html. FinFly Web is a FinFisher 
product that allows customers to create a website to infect targets with spyware. We identified the sample as FinFly Web 


given substantial similarity with leaked FinFly Web code. 


Figure 11: The FinFly Web page, asking users to install Adobe Reader XI (“Get the free, leading software for viewing PDF files.”). The download link points to a FinFisher spyware sample.


The FinFly Web page appears to have a number of deficiencies. The attacker appears to have copied a page from the website of the Egyptian newspaper Youm7, which appears in the background of the Adobe Reader popup. The attacker apparently did not notice that the paths to the CSS resources are relative. Thus, the attack page tries to fetch CSS stylesheets and images from the attack site, rather than from the legitimate page. Since the attacker neither copied these resources to the attack site, nor changed the relative paths to point to the legitimate site, the attack page looks malformatted. The attacker made the same mistake with the news ticker IFRAME, resulting in the “Not Found” message in the background. Also, the attacker entitled the page “Video: Islamic State Enters Egypt,” but created a popup to install Adobe Reader, which is Adobe’s product for viewing PDF files. It is likely that the attacker instead wanted to create a popup to install Adobe Flash, a plugin for viewing web videos. Additionally, the download link points to a .rar file,85 which is suspicious as Adobe does not distribute its products in .rar files. Finally, the .exe inside the .rar file is not melded with the Adobe Reader setup program, so a victim who executes the file may become suspicious when no Adobe setup program runs.
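The relative-path mistake described above is something an analyst triaging a suspected cloned page can check mechanically: resolve every stylesheet, script, image and IFRAME reference the way a browser would, against the URL the page is actually served from, and see which host each fetch goes to. The script below is an added example of that check, not the report's code and not the real page from videos.news-youm7.com; SAMPLE_HTML is constructed to reproduce the mistake, and the legitimate host www.youm7.com is an assumption. References the cloner left relative resolve to the attack host, where they do not exist; only a reference rewritten to an absolute URL still comes from the imitated site.

```python
"""Sub-resource origin check for a suspected cloned page.

Added example, not code from the report. SAMPLE_HTML, PAGE_URL (taken from
the text) and LEGIT_HOST (an assumption) are CONSTRUCTED inputs.
"""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Tag -> attribute whose value the browser fetches as a sub-resource.
FETCH_ATTRS = {"link": "href", "script": "src", "img": "src", "iframe": "src"}


class _RefCollector(HTMLParser):
    """Collect (tag, raw reference) for every sub-resource fetch in the document."""

    def __init__(self):
        super().__init__()
        self.refs = []

    def handle_starttag(self, tag, attrs):
        attr = FETCH_ATTRS.get(tag)
        if attr is None:
            return
        a = dict(attrs)
        if tag == "link" and "stylesheet" not in (a.get("rel") or "").lower():
            return                      # icons, preloads etc. are not what we are after
        if a.get(attr):
            self.refs.append((tag, a[attr]))


def resource_origins(html: str, page_url: str):
    """Return [(tag, raw_ref, host_fetched_from, was_relative)] as a browser resolves them."""
    parser = _RefCollector()
    parser.feed(html)
    result = []
    for tag, raw in parser.refs:
        was_relative = not urlsplit(raw).netloc          # "/x.css", "css/x.css", "x.css"
        host = urlsplit(urljoin(page_url, raw)).netloc   # where the fetch actually goes
        result.append((tag, raw, host, was_relative))
    return result


def clone_report(html: str, page_url: str, legit_host: str):
    """Count sub-resources pulled from the attack host, the imitated host, and elsewhere."""
    page_host = urlsplit(page_url).netloc
    counts = {"from_attack_host": 0, "from_legit_host": 0, "other": 0}
    for _, _, host, _ in resource_origins(html, page_url):
        if host == page_host:
            counts["from_attack_host"] += 1
        elif host == legit_host:
            counts["from_legit_host"] += 1
        else:
            counts["other"] += 1
    return counts


# CONSTRUCTED sample: a copied news page with the cloner's mistakes left in.
PAGE_URL = "http://videos.news-youm7.com/youm7/videos/5671264.html"   # URL from the text
LEGIT_HOST = "www.youm7.com"                                            # assumption
SAMPLE_HTML = """<html><head><title>Video: Islamic State Enters Egypt</title>
<link rel="stylesheet" href="/css/site.css">
<link rel="stylesheet" href="css/video.css">
<link rel="icon" href="favicon.ico">
<script src="//ajax.googleapis.com/ajax/libs/jquery/1.11.0/jquery.min.js"></script>
</head><body>
<img src="http://www.youm7.com/images/logo.png">
<iframe src="/ticker/news.html"></iframe>
<a href="http://www.youm7.com/">Home</a>
<a href="download/AdobeReaderXI.rar">Install Adobe Reader XI</a>
</body></html>"""

if __name__ == "__main__":
    for row in resource_origins(SAMPLE_HTML, PAGE_URL):
        print(row)
    print(clone_report(SAMPLE_HTML, PAGE_URL, LEGIT_HOST))
```

On the sample, both stylesheets and the ticker IFRAME resolve to the attack host (the three fetches that will fail and produce the broken layout and “Not Found” ticker), the logo comes from the imitated site, and the jQuery script comes from a third-party CDN. A page whose sub-resources split this way, served from a host that is not the site it visually claims to be, is worth a closer look.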


Italy: Shift from Hacking Team to FinFisher? 


We identified one IP address in Italy (2.228.65.xxx) which served as a FinFisher server from 2014 to the present. Earlier in 2014, and before our publication of our report on Hacking Team, the same IP address instead matched our fingerprint for Hacking Team spyware servers. This might indicate an Italian government agency switching from Hacking Team to FinFisher.


Oman: Eagle Eye Digital Solutions LLC 


We found a FinFisher server running on IP address 37.139.27.xxx, which is pointed to by two subdomains of to70.org, a domain name associated with an Omani company called “Eagle Eye Digital Solutions LLC” through historical WHOIS. The domain is currently registered to “Omantel,” the largest telecom in Oman. Eagle Eye Digital Solutions LLC was founded by, and is run by, Warith Al-Maawali.86 Leaked emails describe Warith as part of Oman’s Ministry of Interior, as well as a reseller of FinFisher products.87 Other sites apparently run by Eagle Eye include a major Omani online forum, “oman0.net.” Eagle Eye founder Warith Al Maawali says the forum is “one of the most active sites with the largest user-base in Oman.”


An archived version of Eagle Eye’s website on the Wayback Machine showed Elaman GmbH as one of their partners, and “Security Organizations” as their clients. Elaman is known to be a reseller of FinFisher products.88


Figure 12: Old version of Eagle Eye’s website (slogan “STAY ASSURED”; navigation: Blog, Products, Services, Training, Clients/Partners, Support, User CP, Contact Us, About us) showing FinFisher reseller Elaman as a partner, and “Security Organizations” as among the firm’s clients.


Conclusion 


In this report we provided the first update on Citizen Lab’s previous FinFisher scanning work since a widely discussed 2014 hack of FinFisher. Despite the disclosure of sensitive customer data in that hack,89 and the potential customer concerns this might cause, our latest scans have detected FinFisher servers in more countries than any previous round of scanning.


FinFisher is still being used by a number of previously identified government clients, including Ethiopia, which is the defendant in an ongoing lawsuit over previous FinFisher use.90 We have also identified new suspected customers, including: Angola, Egypt, Gabon, Jordan, Kazakhstan, Kenya, Lebanon, Morocco, Oman, Paraguay, Saudi Arabia, Slovenia, Spain, Taiwan, Turkey, and Venezuela.


While we may not be detecting all FinFisher installations, this report’s methods improved on both our ability to detect installations, and to attribute FinFisher servers to specific governmental customers, whom we named. A key goal of this research is to provide a resource to those working on policy and research in this space. We also believe this kind of reporting is essential to help ensure that citizens have the opportunity to hold their governments accountable. To this end, we identify government users, but redact certain details about live infrastructure (like removing the last octet of IP addresses), whose disclosure might interfere with legitimately sanctioned activities.


The Global Intrusion Software Market: Difficult to Study, Tricky to Regulate 


The market for intrusion software like FinFisher is challenging to track because the key players, from government 
customers to software developers, have a strong interest in keeping transactions private. However, several years of 
research, reporting, and revelations have made it clear that a growing list of countries have acquired, or are seeking 
these tools. 


As customer lists grow, so should concern over the documented abuse potential of intrusion software. Some governments 
clearly believe that it can be used, with proper oversight, in the service of legitimate criminal investigations and 
intelligence gathering. However, there are also well documented cases in which government customers have abused 
intrusion software to compromise political opponents within their borders, and overseas. 


The current market seems to bypass some historic limits on the spread of advanced technical intrusion capabilities. Lack 
of a strong Science, Technology, Engineering and Mathematics (STEM) education, or absence of long term investment in 
research and development pipelines, are no longer impediments to obtaining computer exploitation and intrusion 
capabilities. These tools are now available for purchase by any government. Certainly, lack of development in STEM 
should not preclude a country from having access to sophisticated investigative tools. Indeed, an under-resourced state 
is likely to face security challenges that are just as serious as a more developed one. 


However, it can be difficult even for democratic governments with a strong rule of law to oversee secret investigative 
capabilities like intrusion software. These tools are likely to be acquired and used by divisions that are professionally 
discreet in their budgeting and information sharing. The information they generate may also have its origins deliberately 
disguised before being shared with other departments or agencies. Intrusion software presents a challenge for 
accountability in any country, and the oversight authorities in under-resourced countries facing domestic or international 
security threats may be particularly ill-equipped in expertise and political clout, to identify or act on signs of misuse. 


Previous research has shown that FinFisher has been used to target regime opponents in several cases. Notably, FinFisher 
has been used to hack Ethiopian and Bahraini democracy activists and opposition political figures. Meanwhile, research 
and revelations about Hacking Team’ s Remote Control System (RCS), a competitor product, have also made it clear 
that some government customers used these tools to target their political opponents, rather than security threats to their 
citizens. 


Despite the well documented potential for abuse, the companies who develop and market these capabilities are 
reluctant and ill-equipped to conduct rigorous due diligence about potential customers, as recent revelations about 
Hacking Team have made clear. 


The Wassenaar Arrangement, which regulates the export of weapons, as well as “dual use” technologies, was amended in 2013 to include items related to intrusion software, like FinFisher and Hacking Team’s RCS. Now, as participants like the European Union have undertaken their own implementations (or are still developing theirs, as in the case of the United States), it remains to be seen whether or not this will lead to greater transparency and control, and what impact, if any, it will have on abusive surveillance.


We hope that continued evidence-based research of this sort will contribute to greater overall transparency about this 
market, and provide much-needed points of reference for policy making and tracking the impact of regulatory efforts. 
Appendix A: List of FinFisher Servers

Server           | FinSpy Master IP | Master Country         | Date
-----------------|------------------|------------------------|--------
41.63.169.xxx    | 41.63.169.xxx    | Angola                 | 2/2014
176.67.169.xxx   | 41.63.169.xxx    | Angola                 | 2/2014
81.246.44.xxx    | 81.246.44.xxx    | Belgium                | /2015
78.46.172.xxx    | 80.65.75.xxx     | Bosnia and Herzegovina | 12/2014
180.235.133.xxx  | 80.95.253.xxx    | Czech Republic         | 2/2014
50.31.252.xxx    | 62.114.252.xxx   | Egypt                  | 2/2014
95.170.82.xxx    | 62.114.252.xxx   | Egypt                  | 2/2014
197.156.66.xxx   |                  | Ethiopia               | /2015
206.190.159.xxx  |                  | Ethiopia               | 2/2015
197.231.66.xxx   |                  | Gabon                  | 2/2014
176.67.169.xxx   | 8.97.103.xxx     | Indonesia              | 2/2014
182.253.201.xxx  | 182.253.201.xxx  | Indonesia              | 2/2014
50.31.240.xxx    | 112.78.143.xxx   | Indonesia              | 2/2014
50.31.255.xxx    | 103.28.56.xxx    | Indonesia              | 2/2014
46.23.72.xxx     | 8.97.103.xxx     | Indonesia              | 2/2014
206.190.159.xxx  | 103.28.56.xxx    | Indonesia              | 2/2014
83.170.112.xxx   | 8.97.103.xxx     | Indonesia              | 2/2014
206.217.196.xxx  | 202.182.52.xxx   | Indonesia              | 2/2014
216.119.149.xxx  | 8.97.103.xxx     | Indonesia              | 2/2014
182.253.201.xxx  | 182.253.201.xxx  | Indonesia              | 2/2014
03.28.57.xxx     | 03.28.57.xxx     | Indonesia              | 2/2014
206.190.159.xxx  | 112.78.143.xxx   | Indonesia              | 2/2015
182.253.201.xxx  | 182.253.201.xxx  | Indonesia              | 3/2015
82.54.232.xxx    | 80.250.74.xxx    | Indonesia              | 3/2015
2.228.65.xxx     |                  | Italy                  | 2/2014
85.8.106.xxx     | 93.146.250.xxx   | Italy                  | 2/2014
58.255.208.xxx   |                  | Jordan                 | 2/2014
09.123.112.xxx   |                  | Jordan                 | 2/2014
85.19.192.xxx    |                  | Kazakhstan             | /2015
78.208.76.xxx    |                  | Kazakhstan             | 2/2015
46.23.73.xxx     | 197.254.122.xxx  | Kenya                  | 3/2015
212.98.139.xxx   | 212.98.139.xxx   | Lebanon                | 2/2014
77.42.156.xxx    |                  | Lebanon                | 2/2014
77.28.101.xxx    |                  | Macedonia              | 2/2014
77.28.102.xxx    |                  | Macedonia              | 2/2014
79.125.161.xxx   |                  | Macedonia              | 2/2014
213.136.89.xxx   | 211.25.14.xxx    | Malaysia               | 2/2014
93.104.212.xxx   |                  | Malaysia               | 2/2014
118.101.145.xxx  |                  | Malaysia               | 2/2014
110.159.5.xxx    |                  | Malaysia               | 2/2014
201.122.183.xxx  | 201.122.183.xxx  | Mexico                 | 2/2014
31.192.226.xxx   | 103.230.82.xxx   | Mongolia               | 2/2014
176.67.169.xxx   |                  | Morocco                | 2/2014
76.67.168.xxx    | 81.192.4.xxx     | Morocco                | 2/2014
09.123.86.xxx    | 81.192.4.xxx     | Morocco                | 2/2014
176.67.172.xxx   | 81.192.4.xxx     | Morocco                | 2/2014
176.67.172.xxx   | 81.192.4.xxx     | Morocco                | 2/2014
37.123.115.xxx   | 41.242.50.xxx    | Nigeria                | 2/2014
176.67.172.xxx   | 204.14.42.xxx    | Nigeria                | 2/2015
85.154.222.xxx   |                  | Oman                   | 2/2014
146.185.163.xxx  |                  | Oman                   | 5/2015
190.128.172.xxx  |                  | Paraguay               | 2/2014
158.255.215.xxx  | 95.76.221.xxx    | Romania                | 12/2014
62.149.86.xxx    |                  | Saudi Arabia           | 12/2014
77.31.27.xxx     |                  | Saudi Arabia           | 1/2015
37.107.117.xxx   |                  | Saudi Arabia           | 2/2015
2.90.15.xxx      |                  | Saudi Arabia           | 5/2015
2.89.48.xxx      |                  | Saudi Arabia           | 5/2015
95.218.27.xxx    |                  | Saudi Arabia           | 5/2015
95.178.51.xxx    |                  | Serbia                 | 12/2014
93.9.21.xxx      |                  | Slovenia               | 12/2014
05.224.57.xxx    |                  | South Africa           | 2/2015
05.228.145.xxx   |                  | South Africa           | 5/2015
92.96.200.xxx    | 79.144.61.xxx    | Spain                  | 2/2014
41.215.240.xxx   | 79.144.61.xxx    | Spain                  | 2/2014
62.87.109.xxx    |                  | Spain                  | 2/2014
209.59.205.xxx   | 79.144.61.xxx    | Spain                  | 2/2014
209.59.213.xxx   | 79.144.61.xxx    | Spain                  | 2/2014
212.166.246.xxx  |                  | Spain                  | 2/2014
47.60.110.xxx    |                  | Spain                  | 2/2015
190.14.38.xxx    | 79.144.61.xxx    | Spain                  | 2/2015
123.51.216.xxx   |                  | Taiwan                 | 2/2014
212.156.217.xxx  |                  | Turkey                 | 5/2015
217.174.229.xxx  |                  | Turkmenistan           | 2/2014
217.174.229.xxx  |                  | Turkmenistan           | 2/2014
217.174.229.xxx  |                  | Turkmenistan           | 2/2014
217.174.226.xxx  |                  | Turkmenistan           | 2/2014
185.8.106.xxx    |                  | Venezuela              | 2/2014
151.236.13.xxx   | 62.153.225.xxx   | Demonstration Server   | 2/2014
158.255.212.xxx  |                  | Demonstration Server   | 2/2014
80.156.28.xxx    |                  | Demonstration Server   | 2/2014
151.236.23.xxx   | 62.153.225.xxx   | Demonstration Server   | 2/2014
106.186.24.xxx   | 62.153.225.xxx   | Demonstration Server   | 2/2014
117.102.124.xxx  |                  | Demonstration Server   | 5/2015
37.139.27.xxx    |                  |                        | 2/2014
151.236.13.xxx   |                  |                        | 2/2014
46.4.148.xxx     |                  |                        | 2/2014
185.15.245.xxx   |                  |                        | 2/2014
37.17.173.xxx    |                  |                        | 2/2014
95.170.88.xxx    |                  |                        | 2/2014
89.46.101.xxx    |                  |                        | 2/2014
194.58.97.xxx    |                  |                        | 2/2014
116.251.208.xxx  |                  |                        | 2/2014
212.71.232.xxx   |                  |                        | 2/2014
209.208.108.xxx  |                  |                        | 2/2014
(illegible)      |                  |                        | 2/2014
62.220.246.xxx   |                  |                        | 2/2014
88.122.76.xxx    |                  |                        | 2/2014
89.46.101.xxx    |                  |                        | 2/2014
90.97.165.xxx    |                  |                        | 2/2014
16.251.223.xxx   |                  |                        | 2/2014
92.64.11.xxx     |                  |                        | 2/2014
82.54.233.xxx    |                  |                        | 2/2014
03.246.249.xxx   |                  |                        | 2/2015
17.121.243.xxx   |                  |                        | 2/2015
92.99.151.xxx    |                  |                        | 5/2015
62.220.246.xxx   |                  |                        | 5/2015
73.255.143.xxx   |                  |                        | 5/2015
79.43.160.xxx    |                  |                        | 6/2015
98.105.122.xxx   |                  |                        | 6/2015
50.31.255.xxx    |                  |                        | 6/2015
175.139.238.xxx  |                  |                        | 6/2015
131.72.138.xxx   |                  |                        | 6/2015
185.11.146.xxx   |                  |                        | 6/2015
105.228.147.xxx  |                  |                        | 6/2015